[Pkg-javascript-devel] Bug#1130880: node-undici: CVE-2026-1526
Salvatore Bonaccorso
carnil at debian.org
Sun Mar 15 15:24:02 GMT 2026
Source: node-undici
Version: 7.18.2+dfsg+~cs3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for node-undici.
CVE-2026-1526[0]:
| The undici WebSocket client is vulnerable to a denial-of-service
| attack via unbounded memory consumption during permessage-deflate
| decompression. When a WebSocket connection negotiates the
| permessage-deflate extension, the client decompresses incoming
| compressed frames without enforcing any limit on the decompressed
| data size. A malicious WebSocket server can send a small compressed
| frame (a "decompression bomb") that expands to an extremely large
| size in memory, causing the Node.js process to exhaust available
| memory and crash or become unresponsive. The vulnerability exists
| in the PerMessageDeflate.decompress() method, which accumulates all
| decompressed chunks in memory and concatenates them into a single
| Buffer without checking whether the total size exceeds a safe
| threshold.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-1526
https://www.cve.org/CVERecord?id=CVE-2026-1526
[1] https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore